Safetech Blog - Security Tips and Tricks
http://blog.safetechinnovations.com

Billu-b0x Write-up
http://blog.safetechinnovations.com/challenges/billu-b0x-write-up/
Tue, 25 Jul 2017 08:31:06 +0000

This write-up covers the Billu-b0x CTF machine hosted on Vulnhub (https://www.vulnhub.com/entry/billu-b0x,188/). It is one of those challenges focused on real-world technical vulnerabilities, which is why I like it.

In my setup the machine uses the IP address 172.16.100.86, and I started with an nmap scan:

Running nikto against the web server gives us the following information:

Not much useful information, so we continue with a directory brute-force using dirb and some common dictionaries, and we get interesting results with:

dirb http://172.16.100.86/ /usr/share/dirb/wordlists/big.txt

So we have some new things to play with: a phpmyadmin instance and other files, like http://172.16.100.86/test, which returns a “promising” error message:

A “file” parameter, a “file path”... this could lead to an LFI. A couple of minutes and some tries later, we have a working LFI:

This LFI won't get us code execution (yet), but at least we can learn important things about the system: we can read the web application's code and find sensitive data.

Reading through the PHP source, in c.php we discover the credentials for the MySQL database:

We use these credentials to connect to the phpmyadmin application. In the database we discover the credentials for the main web application:

Now that we have access to the web application, we start investigating it for new vulnerabilities. There is an upload form, but after some trial and error, and after looking at the code through the LFI, we realize that this alone won't get us command execution. Stuck for a while, we start reading the code of the application's files and find another LFI, in panel.php. Now things can go in the “right” direction: we have an upload form that allows us to upload image files, and we have a “good” LFI, the kind that includes your file's content into a PHP code file. We upload our crafted image file, which has PHP code injected into it, and run the code through the LFI:

Time to have a shell, right? Well, not that fast, but anyway here it is:

With a shell we start enumerating the machine; running LinEnum (https://github.com/rebootuser/LinEnum) is always a good idea. After a short time we realize that this machine has very few services, no juicy data in the home folders and no permission issues, so kernel exploitation could be the fastest way to root. We grab an exploit for CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html) and bingo! I am (g)root!

This was a nice vulnerable machine and a good example of web exploitation and of chaining exploits together. Thanks to the author @indishell1046 and of course thanks to our friends at @vulnhub!


CTF-USV Writeup
http://blog.safetechinnovations.com/challenges/ctf-usv-writeup/
Fri, 09 Dec 2016 11:24:08 +0000

This write-up was written after the CTF-USV 2016 contest, where students had the challenge of conquering 7 flags. We used the Facebook CTF platform, where each flag was assigned a country.

The theme of the Capture the Flag contest was Game of Thrones. Everyone is watching the series, right?

Running nmap, a LOT of open ports were displayed:

Trying the amap tool to fingerprint the open services, we noticed strange banners on most of the open ports.

After a quick search on Google we might have a clue why so many ports are open:

It looks like the portspoof tool is used to confuse a potential attacker by opening a lot of ports.
We tried to focus on well-known services first and see where this would get us.
On port 80 there is a web server running, but we receive an Access forbidden message:

Looking at the HTTP headers, we quickly notice a string in the X-XSS-Protection header that seems to be base64 encoded:

Decoding the string gives us our first flag:

Croatia Flag: 0c326784214398aeb75044e9cd4c0ebb

We continued looking at common services and tried to connect to the SSH server. Of course I didn't hope to also find a valid password, but I was curious whether there was a banner.

A dragon welcomes the curious visitors.

Looking closer at the image with the dragon, it can be observed that it is something connected with AES ECB. Below the dragon is an encrypted string, and near the dragon's tail is the key.

With an online application for AES decryption, the second flag was revealed:

Italy Flag: 0047449b33fbae830d833721edaef6f1

So, what other common services are there?

Well, there is a MySQL server on TCP 3306 and a Squid proxy server, not on TCP port 3128 but on 3129... this is too close to be unintentional.

What if we set it as a proxy in our browser and try to access the web server on port 80 again?
30 seconds later this page was displayed:

Firing up nikto, keeping in mind that the command has to be run with the proxy defined, a directory /blog will be found, among other information.

Indeed, we found the blog of The Seven Kingdoms.

We analyzed the information on the blog and two posts caught our attention: one of them is password protected and the other one is entitled “I have a message for you!”

The picture was analyzed for metadata; apparently there was nothing interesting in the source code of the web page, except for a folder named hodor where the picture was stored. In that folder there was another clue, a zip archive named, what else, hodor.zip, containing a file named hodor:

The file extracted from the archive contains a “JFIF” header. I renamed it with a .jpg extension and here is our third flag.

This translates to:

Portugal Flag: a2663b23045de56c7e96a406429f733f

Now, let's return to the other post, the password-protected one. Trying to centralize all the information gathered, nothing rings a bell... just that we have a password and that we have to crack it.
From our experience as penetration testers, it is always a good idea to build a custom dictionary based on the application being tested.
A useful tool for generating a dictionary from the words on a website is cewl... and the password for the protected post is Westerosi. With this we've got our fourth flag:

Paraguay Flag: 4761b65f20053674657c7e6186628a29

Now that we got rid of Hodor, it seems that Khaleesi, mother of dragons, has something to hide. But where?
Thinking again about all the services that nmap revealed, about “She uses Field Training Preparation for her army” and also about what kind of service could possibly have a name and a password, we could try a brute force on each service with the username mother_of_dragons.

The post says that “the password is in front of your eyes”, so why not try “in front of your eyes” as the password? A little bit tricky, right? >:)
The FTP service, on port 21211, turned out to accept the credentials “mother_of_dragons” and “in front of your eyes”.

On the FTP server there are two files, a readme.txt which leads us to a hidden note.txt. The message of the note is:

The next step is to log into WordPress with the user mother_of_dragons and a password composed of her children's names. With a little search on Google, you can find out that the names of the dragons are Drogon, Viserion and Rhaegal.

In Daenerys' profile the fifth flag can be found:

Thailand Flag: 6ad7965d1e05ca98b3efc76dbf9fd733

Now that we have access to WordPress with administrative rights we can execute commands and obtain a reverse shell.

I edited one of the theme files, put some PHP code in it, and the reverse shell is here:

I started looking for various information on the system, like running processes, which user accounts are present and so on... when I looked in the home folder of the http user, I found the sixth flag.

This decodes to:

Mongolia Flag: 6b49c13cccd91940f09d79e142108394

Also in the /srv/http/ folder there is a file named winterfell_messenger, which is owned by root and has the setuid bit set. We tried to run this binary to see what happens:

We analyze the binary with the strings tool and observe that it uses the cat command to read the /root/message.txt file. The interesting thing is that cat is invoked with a relative path, not an absolute one. This means that we might manipulate the PATH environment variable, create a file named “cat” with some arbitrary commands in it, and have it executed as root.

Once we are root, the seventh flag is ours:

Somalia Flag: 4a64a575be80f8ffab26b06a958bcf34

That's all folks!

We hope you will enjoy getting all the flags at least as much as we enjoyed creating them.


Breach: 2.1
http://blog.safetechinnovations.com/challenges/breach-2-1/
Wed, 31 Aug 2016 12:25:14 +0000

Dear all, today I will present my way of exploiting the vulnerable machine Breach 2.1. Many thanks to @mrb3n813 and @VulnHub.

The browser displays a photo. I tried to find more information with Exiftool, but unfortunately no metadata was found. The next step was to look at the page source, where I could read a message, visible in the second screenshot:

One of the hints for the web server is the blog. To be sure, I also used dirb to brute-force directories.

It seems that an old PHP blog engine is running, so there is a good chance of finding exploits/vulnerabilities.

Connecting all the information, like Peter visiting the blog often and the picture on the main page of the web server mentioning BeEF, I started to think of a client-side exploit. Looking over exploit-db there are a lot of exploits for blogphp, including SQLi and persistent XSS.

I exploited the SQLi, but the username is blank and the password hash also leads to a blank character, so no important data here.

In a short time a Firefox browser connected to BeEF, giving us hope that client-side exploitation is indeed the way to go.

To exploit this browser we'll use the Metasploit framework. After some trial and error we decided to use the firefox_tostring_console_injection exploit. Using again the persistent XSS from the register.html page, I injected an iframe that points the Firefox browser to our Metasploit web server.

Now we are connected as user Peter and can start our journey to root. I did some enumeration, like which files are readable in other users' folders, what services are running, the kernel version, files with special permissions etc., but nothing popped out. Then, by listing the network services running on the host, we observe that not only ssh (65535) and http (80) are running but also an unknown service on localhost port 2323, and MySQL is also listening on localhost.

Next, we are asked to log in. After some tries with combinations of the users peter, milton and blumbergh and the password Houston, we are able to log in with the milton/Houston credentials. Then another challenge must be passed: we are asked “Whose stapler is it?” What would Milton respond? Of course, “mine”.

Now that we are logged in as milton, we are curious to take a look at his login/profile scripts, which are certainly executed when someone telnets to port 2323.

cat /home/milton/.profile
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

python /usr/local/bin/cd.py
sudo /etc/init.d/nginx start &> /dev/null

Here we find a script, /usr/local/bin/cd.py, that is responsible for asking the stapler question, and we also observe that a new web server (nginx) is started, so we can assume that we will find another open port, which is 8888.

Here we have an osCommerce application ready to be broken.

Returning to our shell we also noticed that nginx is running as root, so by exploiting the application we might obtain root privileges.

I suddenly remembered that there is a MySQL server running on the host, so I returned to the shell console and tried to connect to it.

As we already know various information about the machine, like running processes, special files and so on, and we do not need to do that one more time as blumbergh, we check which commands blumbergh is allowed to run through sudo and discover that he can run tcpdump as root. Thinking that this might be it, I read up on tcpdump looking for ways of executing arbitrary commands. The man page and previous experience were important and we got to the following syntax:

sudo tcpdump -i eth0 -Z root -z /tmp/breach -w /dev/null -W 1 -G 1

The /tmp/breach file should contain whatever command we would like executed as root, so we put a classic nc reverse shell connection in it.

PwnLab:init Walkthrough
http://blog.safetechinnovations.com/challenges/pwnlabinit-walkthrough/
Fri, 26 Aug 2016 08:44:16 +0000

Thanks to Claor @Chronicoder and the VulnHub folks for the opportunity of writing another walkthrough for a very challenging vulnerable machine.
First things first, I fired up nmap. That is what I usually do: run nmap and after that nikto.

As can be observed, only two ports are of interest: 80 (HTTP) and 3306, on which MySQL runs.

Starting nikto reveals the following information:

On port 80 there is a web application with an upload section, but in order to upload files we have to be authenticated:

The URL structure indicates that the application might be vulnerable to Local File Inclusion.

After some tests, I succeeded in including files from the server using the php://filter/convert.base64-encode/resource method, which seems to be the only way of reading files.

The browser displays the source code of the upload.php file encoded in base64:

With the same technique I read the source code of all the available PHP files. In index.php a piece of code caught my attention:

<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
    include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>

It looks like another way of doing local file inclusion, and a quick test shows that it works as expected:
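As an added example (my code, not PwnLab's), here is how the lang cookie logic looks once the cookie value can only select from a fixed table of language files; the file names and the lang/ directory are assumed:

```php
<?php
// Added example: a hardened replacement for the "lang" cookie include.
// The original passes $_COOKIE['lang'] straight into include(), so any
// readable path, including a file dropped in the upload folder, is pulled
// into the PHP interpreter. The fix: never build the path from user input;
// use the cookie only as a key into a fixed allowlist.

// Language files shipped with the application (names are assumed).
const LANG_FILES = [
    'en' => 'en.lang.php',
    'fr' => 'fr.lang.php',
];
const LANG_DIR = __DIR__ . '/lang';

/**
 * Map the cookie value to the absolute path of an allowlisted language file.
 * Returns null when the cookie is absent, unknown, or the file is missing.
 */
function resolveLangFile(?string $cookie): ?string
{
    if ($cookie === null || !array_key_exists($cookie, LANG_FILES)) {
        return null; // "../../etc/passwd", "php://filter/..." never get here
    }
    $base = realpath(LANG_DIR);
    $path = realpath(LANG_DIR . '/' . LANG_FILES[$cookie]);
    // realpath() returns false for a missing file; also confirm that the
    // resolved path still lies inside LANG_DIR (defence in depth).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$langFile = resolveLangFile($_COOKIE['lang'] ?? null);
if ($langFile !== null) {
    include $langFile;
}
// An unrecognised cookie value is ignored rather than treated as a path.
```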

Taking into consideration the nikto results, which revealed the existence of a config.php file, we can get the source code of this file with the above technique:

<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>

We remembered that the machine has the MySQL port open, and now that we have credentials for the database we can connect to it.

In the database I also discovered the users and base64-encoded passwords for logging into the web application.

Now that we have the credentials we can log into the application and find our way to executing commands on the operating system.

The next step is to upload a file with PHP code, but I soon realized that this is not an easy job. Having the source code of upload.php I was able to see that the application restricts the extensions, verifies that the Content-Type contains “image” and also verifies the MIME type. So there is no way to upload a file with a php extension.

What we can do is upload a text file with a gif extension, put PHP code in it, and start the file content with a valid GIF header.

The file is uploaded to the /upload folder, with the original file name replaced by its MD5 hash.

Now we can use the LFI in the lang cookie to execute our uploaded shell.
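An added example of the other half of the fix, written by me rather than taken from PwnLab's upload.php (the same applies to the image upload used on Billu-b0x earlier): the upload is decoded and re-encoded with GD so the stored bytes are library-produced pixel data, and it is saved under a server-chosen name outside the web root. The upload directory and the form field name are assumptions.

```php
<?php
// Added example: hardening the upload step described above.
// PwnLab's upload.php checks the extension, the Content-Type header and the
// MIME type, yet a file that starts with a valid GIF header and continues
// with PHP code passes all three checks and is later executed through the
// LFI. Two changes close that gap:
//   1. re-encode the image with GD, so the bytes written to disk are pixel
//      data produced by the library, not the uploader's file;
//   2. store it outside the web root under a name the uploader does not
//      choose, so even a successful include has nothing to execute.

const UPLOAD_DIR = '/var/lib/pwnlab/uploads'; // assumed, outside DocumentRoot
const MAX_BYTES  = 2 * 1024 * 1024;

/**
 * Validate and re-encode an uploaded image. Returns the stored file name,
 * or throws on any check failure (the caller turns that into a 4xx).
 */
function storeImage(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }

    // Detect the type from the content (finfo), not from client headers.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $decoders = [
        'image/gif'  => 'imagecreatefromgif',
        'image/png'  => 'imagecreatefrompng',
        'image/jpeg' => 'imagecreatefromjpeg',
    ];
    if (!isset($decoders[$mime])) {
        throw new RuntimeException('unsupported type: ' . $mime);
    }

    // A bare GIF header followed by PHP text does not decode, so GD returns
    // false; a real image with PHP appended decodes, and only its pixels
    // survive the re-encode below. Either way the PHP text never hits disk.
    $img = @$decoders[$mime]($tmp);
    if ($img === false) {
        throw new RuntimeException('image does not decode');
    }

    // Random, server-chosen name with a fixed, harmless extension.
    $name = bin2hex(random_bytes(16)) . '.png';
    $dest = UPLOAD_DIR . '/' . $name;
    if (!imagepng($img, $dest)) {
        throw new RuntimeException('could not write image');
    }
    imagedestroy($img);
    return $name;
}

if (isset($_FILES['file'])) {
    try {
        echo 'stored as ' . htmlspecialchars(storeImage($_FILES['file']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected';
    }
}
```

Together with an allowlisted include, this leaves the lang cookie nothing to execute even if it could still reach the uploads directory.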

Now it is time to enumerate various information about the system, even using the LinEnum script for comprehensive information, but no low-hanging fruit was found.

Doing a quick review of the information gathered so far and trying to match everything, I realized that I have some users and passwords from the MySQL database, and the same users are present on the system (/etc/passwd)... maybe the passwords are also valid on the operating system.

We observed a file called msgmike in kane's folder, which is owned by user mike and also has the setuid bit set.

Running the file, we see that it generates an error about a missing file in mike's home. Analyzing the msgmike binary with the strings tool we observe the full command that is used, and also that a relative path is used when running cat, which gives me an idea.

We can manipulate the PATH environment variable and point it to a different cat program, one that will spawn a shell for us.

We modify PATH to begin with /tmp, the location where we will create a file named cat.

#!/bin/sh
echo "#\!/bin/sh" >/tmp/cat
echo "/bin/sh" >>/tmp/cat

Now it's time to run msgmike again and get our shell as user mike:

In mike's home folder we also find a binary, this time owned by root, with the setuid flag set. Running it, it prompts for some input that it echoes back, then closes.

Analyzing the binary with the strings tool, we discover the command that is used.

It looks like command injection might be possible, so we give it a try.

And now, by the power vested in me by the state of root, I present you the flag.txt content:


Tommy Boy 1 Write-up
http://blog.safetechinnovations.com/challenges/tommy-boy-write-up/
Wed, 03 Aug 2016 07:23:31 +0000

If you came here just for the last flag, here it is:

YOU CAME.
YOU SAW.
YOU PWNED.
Thanks to you, Tommy and the crew at Callahan Auto will make 5.3 cajillion dollars this year.
GREAT WORK!

That’s all folks! Thanks for reading this!

And now, if you want to know the story of the TommyBoy machine, let's start from the beginning.

This challenge has a story, and quite an enjoyable one IMHO, which makes things more interesting and pleasant.

HOLY SCHNIKES! Tommy Boy needs your help!
The Callahan Auto company has finally entered the world of modern technology and stood up a Web server for their customers to use for ordering brake pads.
Unfortunately, the site just went down and the only person with admin credentials is Tom Callahan Sr. - who just passed away! And to make matters worse, the only other guy with knowledge of the server just quit!
You'll need to help Tom Jr., Richard and Michelle get the Web page restored again. Otherwise Callahan Auto will most certainly go out of business :-(
Objective
=================
The primary objective is to restore a backup copy of the homepage to Callahan Auto's server. However, to consider the box fully pwned, you'll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message.

After classic nmap port scanning, service fingerprinting and so on, we open the browser and point it to port 80 of the machine, where we suppose the Callahan Auto website should be:

In the page source there are a few messages (very useful ones, e.g. indicating that there is a blog on this machine). I will keep all this info in my notes.

The next step in information gathering is to look for robots.txt. I had the nice surprise of finding my first flag here:

The next step was to download the images listed in robots.txt and analyze them with Exiftool, hoping to find some hidden metadata. No luck here!

Returning to the information from the page source, I visited YouTube (https://www.youtube.com/watch?v=VUxOd4CszJ8) for a hint to the path of the blog. I tried prehistoricforest, and it worked. This was the key to the blog.

Reading the posts and comments on the blog, new useful information is revealed, and there is also a password-protected post that must be important.

Accessing the indicated URL in the browser gets us the second flag:

From another comment on the blog, we learn that there is a folder named /richard.

Analyzing the .jpg file in that directory with Exiftool, I discovered a comment that seems to be an MD5 hash. Putting it into hashkiller, the password is instantly found: spanky. This will unlock the password-protected blog post.

Coming back to the blog, I was able to use the password “spanky” to see the content of the protected post.

With the information above, the FTP port is easily found on TCP 65534. After some tries we found the valid password, which is the same as the username: nickburns.
On the FTP server we found the following message in a file called readme.txt:

Correlating the information from this message with the open ports from the nmap scan, we quickly identified the folder.

Honestly, I spent some time figuring out how to go further; finally the name Steve Jobs rang a bell and I thought of modifying the browser's user agent to include the iPhone string.

We started our favorite web brute-forcing tool, wfuzz, and identified the name of the HTML file, which is fallon1.

The password is bevH00tr$1995.
Nice... so many passwords... this gives us access to a passwords.txt file in which, you guessed it, there are other passwords and hints.

Now we have a piece of bigtommysenior's SSH password, and we are supposed to find the rest in a draft post on the blog. For this we need to guess the WordPress password of user tom, discovered after a quick enumeration with wpscan. Here it got interesting... the hint tells us that the password might be a song by Queen. I grabbed an extensive list of Queen songs from Wikipedia :), put them in a file and started to brute-force, but nothing... phase one. Took the list, removed spaces, started the brute force again, still nothing... phase two. Took the list, changed the case to lower, eliminated some non-alphanumeric characters, started the brute force... but no hit... phase three. Took the list, fed it to john to obtain permutations, started the brute force... still nada, phase four. I seriously started to question whether the password had anything to do with a Queen song.

As a last resort, I took the 10_million_password_list_top_1000000.txt dictionary and started a “start and forget” brute force. After some time, when I returned to the console... incredible, we have a hit: the password is tomtom1. It took me some time, but here it is.

Armed with this information I logged into the blog and got the rest of the bigtommysenior SSH password.

Now we can finally log in through SSH and find flag number four:

Next we restore callahanbak.bak to /var/www/html/index.html to bring the site back:

Now we are heading for the last flag... a listing of the server root reveals the flag's name and permissions, which are somewhat strange, because the file is owned by user www-data:

All we need is to start a web shell, which will run under www-data privileges and allow us to read the file, or get root and have all the privileges.

Remembering the http://172.16.100.69:8008/NickIzL33t/ folder and its function as a sort of dropbox, I located it on the server and found another path which has an upload function:

I uploaded some files and tried some tricks to put a PHP file on the server, but the application seems to validate the uploaded files pretty well, allowing only certain media file extensions. Having SSH access to the machine is an advantage, allowing me to look at the PHP code and read other files as well. Looking at the .htaccess file I found an interesting “backdoor” that allows .gif files to be executed as PHP.

So, now that we know this, we upload a file with PHP code but with a .gif extension to the server and just read the /.5.txt file contents:

Now all we have to do is put all the flags together as one big password and decrypt the LOOT.zip file to get the last flag, which is shown at the beginning of this article.

Thanks to the author of the VM @7MinSec and @VulnHub team for hosting it!


Mr. Robot Write-up
http://blog.safetechinnovations.com/uncategorized/mr-robot-write-up/
Fri, 15 Jul 2016 07:37:40 +0000

Being a fan of the series Mr. Robot, I decided to exploit this vulnerable machine added by Jason.

Someone once said that the best way to be prepared for a hack when it happens is to be hacked. So, let's hack Mr. Robot.

Starting with enumeration, I fired up nikto, which reveals a lot of useful information:

I also tried nmap, but the only open ports are 80 and 443. No sneaky port here.

Checking the nikto results reveals that there is a robots.txt file on this machine. Need to verify this... and... voilà:

Key-1-of-3 seems to be our first flag.

I saved the dictionary locally; maybe later it will be useful for a brute force or something. Adding /key-1-of-3.txt to the URL returns the content of the file: 073403c8a58a1f80d943455fb30724b9

But nikto also revealed a /wp-login.php, and I had to see what I could get from it.

Let's try some usernames and passwords. Thinking of the characters from the series, I checked for Mr Robot, and after that for Elliot. The result is awesome, considering that it was only the second shot at the username:

It seems that the password I entered is incorrect. First thing in mind: brute force with Intruder.

Running wpscan to enumerate users will not work this time, but we can use wfuzz for this.

First we optimize the dictionary file fsocity.dic, as it is full of duplicates:

cat fsocity.dic | sort | uniq > mr_robot.dic

Next, we start wfuzz, which will try all the words in the dictionary file in about 3 minutes:

Brute-forcing the user elliot with Burp Intruder gives us the password:

After logging into the WordPress administrative interface we need to find something else to get to the second flag.

One of the most common ways to execute commands while having administrator rights in WordPress is to upload a PHP file or insert some PHP code into one of the template files. Go to Appearance > Editor, choose the 404 Template on the right of the page, and insert there the PHP code that will initiate a reverse connection back to our Kali machine.

We continue by doing some enumeration, like finding which users are present on the system:

We notice the user robot and we find our next hint in his home directory:

By doing a quick look-up of the MD5 hash on Google, we now have what seems to be the password of the robot user. This takes us to the second flag:

Now it's time for some more enumeration in order to escalate our privileges to root.

Looking for files with special permissions returns nmap, among other files:

We remember an article from the Go Null Yourself e-zine called Stupid shell tricks, which can be found at https://www.exploit-db.com/papers/18168/, where nmap's interactive mode is mentioned as a means of backdooring a system, and we try to exploit this “feature”:

Challenge done! The third flag was discovered.


Stapler Writeup
http://blog.safetechinnovations.com/challenges/stapler-writeup/
Wed, 06 Jul 2016 18:31:38 +0000

In this article I will present the way I completed the Stapler machine challenge hosted on Vulnhub. Stapler is particularly interesting because it lets you obtain a lot of varied information through enumeration (one of the best machines for this, actually). Thanks to @g0tmi1k for this!

Quite a lot of interesting ports are revealed, and we have some interesting data to write down: a potential user named Tim and a company named Initech.

Having learned from previous experience that the amap tool, while old, can provide more information by fingerprinting the services, I gave it a shot:

Amap proves useful, giving us more usernames (Harry, Dave, Pam) that we will try to use later, and other interesting information... like port 12380, which matched the http protocol, but also ssl and ntp (?)... we will check that later.

Now we take the information we have about open ports and try to find our way in...

1.1 Port 21

We connect to the FTP service with the anonymous account; we also notice the banner that we already knew from amap. On the FTP server we find a file named note with the following content:

1.2 Port 22

Connecting to ssh reveals a new potential username in the banner:

1.3 Port 80

Seems to be a light HTTP server, no banners, no headers... running nikto against it reveals two files from a user's home dir:

http://172.16.100.63/.bashrc
http://172.16.100.63/.profile

I tried a more advanced directory and file brute force with wfuzz, but no other files were found.

1.4 Port 139 – SMB

Listing the shares gives us some more information... two shared folders (kathy and tmp) and two potential new usernames (kathy and fred):

Browsing the shares gives us more information and interesting files.

1.5 Port 666

Running netcat against it reveals binary content, and a string message2.jpg indicates that it might be a picture... after downloading it we realize that it is not viewable: either it is corrupt or it is something else, an archive:

Finally, opening message2.jpg will reveal new information:

1.6 Port 12380

Opening it in the browser shows us a website... we note the title of the page, which includes information about another potential user, Tim:

Looking through the source code we find an interesting message:

And... this is pretty much everything; no other files or directories were found.

Keeping in mind that amap also matched port 12380 as ssl, we also try to access it over https:

This is kind of strange, having http and https on the same port; I guess the web server was intentionally misconfigured.

Running nikto against the https version will give us some hints to go further:

nikto -h https://172.16.100.63:12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.100.63
+ Target Hostname: 172.16.100.63
+ Target Port: 12380
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time: 2016-06-16 13:22:10 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '172.16.100.63' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.

So we have an /admin112233 and a /blogblog path. While I will let you discover what is behind the /admin112233 path, we will focus further on https://172.16.100.63/blogblog, which is a WordPress CMS.

2. Exploitation

We start by running wpscan against the website to gather intelligence about potential plugins that are used and other information:

Going to the frontpage we will identify the path of the created “thumbnail” file and download it:

Of course this is not a picture, but the whole wp-config.php file which will give us the credentials to the database:

Having so many usernames collected from various sources, we also started a brute-force attack on the WordPress administrative interface and got some accounts, but none of them is an administrator of the blog:

Having a username (root) and password for the database server, we think of another plan…

Connecting to mysql works, so considering that we are root and have all privileges, we will create a web shell through mysql:

We first tried to run netcat on the vulnerable machine to get the reverse shell, but it seems that the installed netcat does not allow running commands with the -e flag. So we have another alternative in mind: using Python code we can get our reverse connection.

Fuku Writeup
http://blog.safetechinnovations.com/challenges/fuku-writeup/
Tue, 14 Jun 2016 08:57:58 +0000

There are lots of ways to exploit Fuku, a machine which is not so easy to compromise, at least not for the impatient, as it has some interesting defense mechanisms. Some of them you will discover below; some of them I'll let you discover on your own.

Today, I’ll show you my way.

First of all, a scan to discover all open ports is needed… so I used nmap.

nmap -A -sV -v -p- 172.16.100.61

It seems that all ports are open.

Trying netcat on some random ports reveals that the messages returned are very similar on each of them; only the reported version of Apache varies a little:

It is clear that this machine is configured to mislead and make an attacker’s life harder when trying to discover running network services.

While nmap seems useless, it is time to use other alternatives.

Thinking that there was a good chance the vulnerable machine ran some web application, I fired up wfuzz. The only “unusual” part this time is that we do not fuzz directories and files, but ports instead:

After some time of waiting we got our port: 13370

Another tool for port scanning is amap, known as the first tool to perform application protocol detection. Although it was superseded by nmap years ago, amap's authors mention that “in some circumstances amap will yield better results, but these are rare”, so I gave it a chance:

amap -b1q 172.16.100.61 1-65535 | grep -v FUKU

Amap proved to be very useful and helped me identify the open ports where nmap and other scanners failed.
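The decoy-port trick above, where every port answers with a near-identical fake banner, can be sorted out offline once the banners have been collected. The following is an added Python example, not code from the write-up: it masks version numbers, groups ports by banner template and reports the ports that do not fit the dominant template. The port numbers, banner strings and the FUKU marker are constructed sample data.

```python
import re

# Constructed sample banners (not captured from the write-up's target): the
# decoy ports all return a near-identical fake Apache response whose version
# digits vary, while the one real service answers with a genuinely different
# response. Collect real banners with whatever grabber you use (the write-up
# used netcat, wfuzz and amap) and pass them in as {port: banner}.
SAMPLE_BANNERS = {
    21: "HTTP/1.1 200 OK\r\nServer: Apache/2.2.14 (Ubuntu)\r\n\r\nFUKU\r\n",
    22: "HTTP/1.1 200 OK\r\nServer: Apache/2.2.9 (Ubuntu)\r\n\r\nFUKU\r\n",
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\n\r\nFUKU\r\n",
    443: "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu)\r\n\r\nFUKU\r\n",
    8080: "HTTP/1.1 200 OK\r\nServer: Apache/2.0.63 (Ubuntu)\r\n\r\nFUKU\r\n",
    13370: ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\n"
            "X-Powered-By: PHP/5.5.9\r\n\r\n<html><head><title>Home</title>"),
}

# Any dotted or plain number (2.2.14, 200, 1.1) collapses to one token, so
# decoy banners that differ only in a fake version string become identical.
VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def normalize(banner: str) -> str:
    """Return the banner template with every version-like number masked."""
    return VERSION_RE.sub("N", banner.strip())


def group_by_template(banners: dict) -> dict:
    """Map each normalized template to the list of ports that returned it."""
    groups = {}
    for port, banner in banners.items():
        groups.setdefault(normalize(banner), []).append(port)
    return groups


def find_real_services(banners: dict, decoy_min_share: float = 0.5) -> list:
    """Ports whose banner does not match the dominant (decoy) template.

    If no template covers at least decoy_min_share of the ports there is no
    clear decoy pattern, so every port is reported rather than guessing.
    """
    groups = group_by_template(banners)
    if not groups:
        return []
    dominant, ports = max(groups.items(), key=lambda kv: len(kv[1]))
    if len(ports) / len(banners) < decoy_min_share:
        return sorted(banners)
    return sorted(p for tpl, ps in groups.items() if tpl != dominant for p in ps)


if __name__ == "__main__":
    for tpl, ports in group_by_template(SAMPLE_BANNERS).items():
        print(f"{len(ports):>3} port(s): {tpl.splitlines()[1]}")
    print("likely real services:", find_real_services(SAMPLE_BANNERS))
```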

On the host, port 13370 is running a web application which is easily identified as the Joomla CMS.

One more thing to note: in robots.txt, a file caught my attention, flag.txt, with the following contents:

After a quick look-over we can see that the web application is using a plugin for playing media content, HD FLV Player, which has known vulnerabilities described in:

After some time of waiting, 5 minutes or so, we try to log in over ssh as root with our known password and……. yesssss, it works

Now all we have to do is to list the content of flag.txt file which resides in /root directory:


AT&T – Old version of JBoss and default credentials
http://blog.safetechinnovations.com/pentest/att-old-version-of-jboss-and-default-credentials/
Tue, 26 Aug 2014 10:12:46 +0000

I found an old JBoss console on one of the AT&T subdomains, https://espcare.att.com/

It was an old version of the JBoss web application, vulnerable to authentication bypass; on top of that, I was able to authenticate with the default username and password.

Risk: I was able to deploy my desired application on the server and to send system commands.

I made a responsible disclosure on 17.03.2014.

They asked me 2 questions:

“Our development team is needing answers to the following questions:

1. Would upgrading our JBOSS version fix the issue? If yes, what version is being recommended, as there could be a case where we need to check inter compatibility between multiple software we have installed on the server.

2. Do we need to change the credentials of jmx console?”

I tried hard not to be ironic when giving the answers.

They notified me on 17.05.2014 that they had solved the problem!


Parse.com security problem
http://blog.safetechinnovations.com/pentest/parse-com-security-problem/
Tue, 26 Aug 2014 09:38:23 +0000

This is a write-up for a security problem in the parse.com website. Parse.com is an acquisition of Facebook, and every security problem on this website is eligible for a bounty in the Facebook bug bounty program.

There was a problem with the download URL for important information about the applications you manage on your account.

The proof of concept below was made on Windows 7 Ultimate and was tested on IE, Chrome and Firefox.

Go to your parse.com account and try to download a file with important data:

After pressing the button from the image above, the following request is sent to the server:

The victim will download an HTML file that contains our malicious HTML+JavaScript payload. The payload above copies all the text after <h1 id='test'>, base64-encodes it and sends it to a server under my control.